Backdoor.Win32.Simbot_d53eaa886b

by malwarelabrobot on June 17th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.224722 (B) (Emsisoft), Gen:Variant.Kazy.224568 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d53eaa886b9f6ebda6eb9ace72289765
SHA1: a0955846e2863481f95a1fd86eb4fb31e56ed746
SHA256: 080729ae424311a680b37bde0dd3981e34e4d2a7af7bbcb0a45c97cf64e1066a
SSDeep: 384:zAFSSXtX4ncfyL016cVmYkhzTyVBZM1kpjbZrym882UACdxRS2lkg:zzc4wlKyzckphrF8UASxR g
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2010-11-06 05:06:34
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1144
regedit.exe:1604

The Backdoor injects its code into the following process(es):

svchost.exe:1236

File activity

The process %original file name%.exe:1144 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)

The Backdoor deletes the following file(s):

C:\%original file name%.exe.tmp1 (0 bytes)

Registry activity

The process %original file name%.exe:1144 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6F 64 8B 32 EF 89 4F FC C2 2A AD 65 C7 0A 54"

The process regedit.exe:1604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 44 61 7E 0C 3F 96 6E B4 C1 36 42 85 DC 7E AE"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe"

Dropped PE files

MD5 File path
377886248e4c2678b7f33bf423b9aae8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Wmi.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 4392 4608 5.22707 9cc40aa30283d3abef7062dd7d0b6edb
.rdata 12288 1045 1536 2.51569 b09e1f7c28fc22c6f6859d92fabdae15
.data 16384 927 512 2.52675 b6f8e6aec2eeab060a4a4bbf08b7eb30
.rsrc 20480 12996 13312 5.4257 5fcf5950b62e1469f10a3916122e0e79

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
a74e26cae3dc4b39e6ea164f242940a5
be9988bc6789b1a398706a53184460c2
b56d8d9128be1bd449ed83b0587b8061

URLs

URL IP
hxxp://71.41.214.210/bkgxm.php?id=015847111D309F33E9


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Taidoor Checkin
ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers

Traffic

GET /bkgxm.php?id=015847111D309F33E9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 71.41.214.210
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Server: thttpd/2.19-MX Mar  4 2013
Content-type: text/html
Date: Sun, 15 Jun 2014 20:40:17 GMT
Last-modified: Sun, 15 Jun 2014 20:40:17 GMT
Accept-Ranges: bytes
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN".  "h
ttp://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<
;meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<m
eta http-equiv="Content-Type" content="text/html; charset=UTF-8">.&
lt;meta http-equiv="Content-Script-Type" content="text/javascript">
.<meta http-equiv="Content-Style-Type" content="text/css">.<m
eta name="publisher" content="MOBOTIX AG, Germany">.<meta name="
copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT IC
ON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/app
le-touch-icon.png">.<meta name="author" content="Daniel Kabs, MO
BOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.
com">.<link rel="copyright" href="/about.html" title="Copyright"
>..<style type='text/css'>.body {.   font-family:Helvetica,Ar
ial,sans-serif;.   font-size:80%;.}.pre,textarea { font-family:monospa
ce; }..headtablesmall {  font-size:125%;  }..standard {} /* obsolete *
/..mxSubmitButton {.   width: 110px;.   margin:2px 0;.}..mxErrorMessag
e {.  color:red;.  background-color:yellow;.  font-weight:bold;.  padd
ing:5px;.}..mxFooterWarning {.  padding:5px;.  margin:0;.  background-
color:#DDDDDD;.  color:red;.  font-weight:bold;.}..mxFooterNote {.  pa
dding:5px;.  margin:0;.  background-color:#DDDDDD;.}..mxSubmitbuttonsR
ow {.  background-color:#DDDDDD;.  border-collapse:collapse;.}..mxSubm
itbuttonsRow td {.  padding:5px;.}..mxReadOnly {.  background:#eee
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

svchost.exe_1236:

.text
`.rdata
@.data
SSh@C@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
ADVAPI32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
WS2_32.dll
iphlpapi.dll
SHLWAPI.dll
71.56.69.34
71.41.214.210
yahoofacebook.345.pl
regedit.exe /s
~dfds3.reg
Windows Registry Editor Version 5.00
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
%s.tmp1
[email protected]
http://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s
%c%c%c%c%c
/%s.php?id=d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
X-X-X-X-X-X
01-01-01-01-01-01
%c%c%c%c%c%c.exe

svchost.exe_1236_rwx_00400000_00005000:

.text
`.rdata
@.data
SSh@C@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
ADVAPI32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
WS2_32.dll
iphlpapi.dll
SHLWAPI.dll
71.56.69.34
71.41.214.210
yahoofacebook.345.pl
regedit.exe /s
~dfds3.reg
Windows Registry Editor Version 5.00
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
%s.tmp1
[email protected]
http://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s
%c%c%c%c%c
/%s.php?id=d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
X-X-X-X-X-X
01-01-01-01-01-01
%c%c%c%c%c%c.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1144
    regedit.exe:1604

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    C:\RCX1.tmp (23552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
    C:\%original file name%.exe.tmp1 (373 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now